C 为什么在这段代码中会出现缓冲区溢出?
除了关闭一次分配、内存泄漏和不必要的重复C 为什么在这段代码中会出现缓冲区溢出?,c,string,pointers,stack,buffer-overflow,C,String,Pointers,Stack,Buffer Overflow,除了关闭一次分配、内存泄漏和不必要的重复count和arr->top之外,还有一个更严重的问题 假设第二个字符与第一个字符相同。索引减少到-1。然后,当您检查下一个字符时,它不再检查上一个字符,而是索引超出范围 整个技术都是错误的。与其玩指数游戏,不如增加它 Runtime Error ================================================================= ==29==ERROR: AddressSanitizer: heap-buff
count
和arr->top
之外,还有一个更严重的问题
假设第二个字符与第一个字符相同。索引减少到-1
。然后,当您检查下一个字符时,它不再检查上一个字符,而是索引超出范围
整个技术都是错误的。与其玩指数游戏,不如增加它
Runtime Error
=================================================================
==29==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000004f at pc 0x0000004018ae bp 0x7ffed3a16300 sp 0x7ffed3a162f8
READ of size 1 at 0x60200000004f thread T0
#2 0x7f9d2765f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
0x60200000004f is located 1 bytes to the left of 6-byte region [0x602000000050,0x602000000056)
allocated by thread T0 here:
#0 0x7f9d28ae92b0 in malloc (/usr/local/lib64/libasan.so.5+0xe82b0)
#3 0x7f9d2765f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 07 fa fa fa 00 00 fa[fa]06 fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29==ABORTING
#包括
#包括
#包括
char*removeDuplicates(char*S)
{
char*arr=malloc(strlen(S)+1);//通过1修复关闭
如果(arr==NULL){
出口(1);
}
整数计数=0;
int指数=0;
而(S[index]!='\0'){
int-duplic=0;
而(S[index+duplic+1]==S[index]){
duplic++;
}
if(duplic==0){
arr[count++]=S[index];
}
索引+=duplic+1;
}
arr[count]='\0';
返回arr;
}
int main()
{
字符s[100]=“”;
while(strcmp(s,“q”)!=0){
scanf(“%99[^\n]”,s);
char*result=移除的副本;
printf(“[%s]\n”,结果);
自由(结果);
}
}
试运行:
aaab
[乙]
缩写
[a]
阿巴
[机管局]
AAAAA
[]
Q
[q]
除了一次关闭分配、内存泄漏和不必要的
count
和arr->top
复制之外,还有一个更严重的问题
假设第二个字符与第一个字符相同。索引减少到-1
。然后,当您检查下一个字符时,它不再检查上一个字符,而是索引超出范围
整个技术都是错误的。与其玩指数游戏,不如增加它
Runtime Error
=================================================================
==29==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000004f at pc 0x0000004018ae bp 0x7ffed3a16300 sp 0x7ffed3a162f8
READ of size 1 at 0x60200000004f thread T0
#2 0x7f9d2765f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
0x60200000004f is located 1 bytes to the left of 6-byte region [0x602000000050,0x602000000056)
allocated by thread T0 here:
#0 0x7f9d28ae92b0 in malloc (/usr/local/lib64/libasan.so.5+0xe82b0)
#3 0x7f9d2765f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 07 fa fa fa 00 00 fa[fa]06 fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29==ABORTING
#包括
#包括
#包括
char*removeDuplicates(char*S)
{
char*arr=malloc(strlen(S)+1);//通过1修复关闭
如果(arr==NULL){
出口(1);
}
整数计数=0;
int指数=0;
而(S[index]!='\0'){
int-duplic=0;
而(S[index+duplic+1]==S[index]){
duplic++;
}
if(duplic==0){
arr[count++]=S[index];
}
索引+=duplic+1;
}
arr[count]='\0';
返回arr;
}
int main()
{
字符s[100]=“”;
while(strcmp(s,“q”)!=0){
scanf(“%99[^\n]”,s);
char*result=移除的副本;
printf(“[%s]\n”,结果);
自由(结果);
}
}
试运行:
aaab
[乙]
缩写
[a]
阿巴
[机管局]
AAAAA
[]
Q
[q]
为什么要为此使用单独的结构?只需在函数中声明top和arr。
malloc(sizeof(char)*strlen(S))如果未删除任何字符,则代码>将按1关闭。您编写的NUL
终止符不允许使用。添加到@klutt的注释中,您在notfree
ingptr
中存在内存泄漏,这不能在函数外部完成。如果(ptr->arr[ptr->top]==S[i])第一次为真(ptr->top==0),则ptr->top将设置为-1。负值将在下一次循环中用作数组索引。@jmq这就是我的答案。为什么要为此使用单独的结构?只需在函数中声明top和arr。malloc(sizeof(char)*strlen(S))如果未删除任何字符,则代码>将按1关闭。您编写的NUL
终止符不允许使用。添加到@klutt的注释中,您在notfree
ingptr
中存在内存泄漏,这不能在函数外部完成。如果(ptr->arr[ptr->top]==S[i])第一次为真(ptr->top==0),则ptr->top将设置为-1。在下一次循环中,负值将被用作数组索引。@jmq这是我的答案。我认为问题不清楚,以这个例子为例:示例1:输入:“abbaca”输出:“ca”解释:例如,在“abbaca”中,我们可以删除“bb”,因为字母相邻且相等,这是唯一可能的行动。这个动作的结果是字符串是“aaca”,其中只有“aa”是可能的,所以最后的字符串是“ca”。@AdityaNaitan我在误解任务后编辑了代码。我认为问题不清楚,以这个例子为例:例1:输入:“abbaca”输出:“ca”解释:例如,在“abbaca”中,我们可以删除“bb”因为字母是相邻且相等的,这是唯一可能的移动。这个移动的结果是字符串是“aaca”,其中只有“aa”是可能的,所以最后的字符串是“ca”。@AdityaNaitan我在任务完成后编辑了代码。
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
char *removeDuplicates(char * S)
{
char *arr = malloc(strlen(S) + 1); // fix the off-by-one
if (arr == NULL) {
exit(1);
}
int count = 0;
int index = 0;
while(S[index] != '\0') {
int duplic = 0;
while(S[index + duplic + 1] == S[index]) {
duplic++;
}
if(duplic == 0) {
arr[count++] = S[index];
}
index += duplic + 1;
}
arr[count] = '\0';
return arr;
}
int main()
{
char s[100] = "";
while(strcmp(s, "q") != 0) {
scanf(" %99[^\n]", s);
char *result = removeDuplicates(s);
printf("[%s]\n", result);
free(result);
}
}
aaab
[b]
abbb
[a]
abba
[aa]
aabbaa
[]
q
[q]